feat: Validate GitHub Actions schema (#2416)

ChristopherHX · web-flow · commit 102e6cbce061 · 2024-08-13T03:40:21.000Z
* feat: Validate GitHub Actions schema

**BREAKING** previously accepted workflows are now invalid

* update code

* fix tests

* Bump docker / fix lint

* fix test action due to moving the file

* remove unused function

* fix parsing additional functions

* fix allow int

* update docker dep, due to linter
diff --git a/go.mod b/go.mod
@@ -8,9 +8,9 @@ require (
 	github.com/adrg/xdg v0.5.0
 	github.com/andreaskoch/go-fswatch v1.0.0
 	github.com/creack/pty v1.1.21
-	github.com/docker/cli v26.1.4+incompatible
+	github.com/docker/cli v26.1.5+incompatible
 	github.com/docker/distribution v2.8.3+incompatible
-	github.com/docker/docker v26.1.3+incompatible
+	github.com/docker/docker v26.1.5+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/go-git/go-billy/v5 v5.5.0
 	github.com/go-git/go-git/v5 v5.12.0
diff --git a/go.sum b/go.sum
@@ -48,10 +48,16 @@ github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK
 github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8=
 github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v26.1.5+incompatible h1:NxXGSdz2N+Ibdaw330TDO3d/6/f7MvHuiMbuFaIQDTk=
+github.com/docker/cli v26.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=
 github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
+github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g=
+github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
 github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
diff --git a/pkg/model/action.go b/pkg/model/action.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"strings"
 
+	"github.com/nektos/act/pkg/schema"
 	"gopkg.in/yaml.v3"
 )
 
@@ -78,6 +79,18 @@ type Action struct {
 	} `yaml:"branding"`
 }
 
+func (a *Action) UnmarshalYAML(node *yaml.Node) error {
+	// Validate the schema before deserializing it into our model
+	if err := (&schema.Node{
+		Definition: "action-root",
+		Schema:     schema.GetActionSchema(),
+	}).UnmarshalYAML(node); err != nil {
+		return err
+	}
+	type ActionDefault Action
+	return node.Decode((*ActionDefault)(a))
+}
+
 // Input parameters allow you to specify data that the action expects to use during runtime. GitHub stores input parameters as environment variables. Input ids with uppercase letters are converted to lowercase during runtime. We recommended using lowercase input ids.
 type Input struct {
 	Description string `yaml:"description"`
diff --git a/pkg/model/workflow.go b/pkg/model/workflow.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/nektos/act/pkg/common"
+	"github.com/nektos/act/pkg/schema"
 	log "github.com/sirupsen/logrus"
 	"gopkg.in/yaml.v3"
 )
@@ -66,6 +67,18 @@ func (w *Workflow) OnEvent(event string) interface{} {
 	return nil
 }
 
+func (w *Workflow) UnmarshalYAML(node *yaml.Node) error {
+	// Validate the schema before deserializing it into our model
+	if err := (&schema.Node{
+		Definition: "workflow-root-strict",
+		Schema:     schema.GetWorkflowSchema(),
+	}).UnmarshalYAML(node); err != nil {
+		return err
+	}
+	type WorkflowDefault Workflow
+	return node.Decode((*WorkflowDefault)(w))
+}
+
 type WorkflowDispatchInput struct {
 	Description string   `yaml:"description"`
 	Required    bool     `yaml:"required"`
diff --git a/pkg/model/workflow_test.go b/pkg/model/workflow_test.go
@@ -280,15 +280,8 @@ jobs:
         uses: ./local-action
 `
 
-	workflow, err := ReadWorkflow(strings.NewReader(yaml))
-	assert.NoError(t, err, "read workflow should succeed")
-	assert.Len(t, workflow.Jobs, 1)
-	assert.Len(t, workflow.Jobs["test"].Steps, 5)
-	assert.Equal(t, workflow.Jobs["test"].Steps[0].Type(), StepTypeInvalid)
-	assert.Equal(t, workflow.Jobs["test"].Steps[1].Type(), StepTypeRun)
-	assert.Equal(t, workflow.Jobs["test"].Steps[2].Type(), StepTypeUsesActionRemote)
-	assert.Equal(t, workflow.Jobs["test"].Steps[3].Type(), StepTypeUsesDockerURL)
-	assert.Equal(t, workflow.Jobs["test"].Steps[4].Type(), StepTypeUsesActionLocal)
+	_, err := ReadWorkflow(strings.NewReader(yaml))
+	assert.Error(t, err, "read workflow should fail")
 }
 
 // See: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idoutputs
diff --git a/pkg/runner/runner_test.go b/pkg/runner/runner_test.go
@@ -196,16 +196,20 @@ func (j *TestJobFileInfo) runTest(ctx context.Context, t *testing.T, cfg *Config
 	assert.Nil(t, err, j.workflowPath)
 
 	planner, err := model.NewWorkflowPlanner(fullWorkflowPath, true)
-	assert.Nil(t, err, fullWorkflowPath)
-
-	plan, err := planner.PlanEvent(j.eventName)
-	assert.True(t, (err == nil) != (plan == nil), "PlanEvent should return either a plan or an error")
-	if err == nil && plan != nil {
-		err = runner.NewPlanExecutor(plan)(ctx)
-		if j.errorMessage == "" {
-			assert.Nil(t, err, fullWorkflowPath)
-		} else {
-			assert.Error(t, err, j.errorMessage)
+	if err != nil {
+		assert.Error(t, err, j.errorMessage)
+	} else {
+		assert.Nil(t, err, fullWorkflowPath)
+
+		plan, err := planner.PlanEvent(j.eventName)
+		assert.True(t, (err == nil) != (plan == nil), "PlanEvent should return either a plan or an error")
+		if err == nil && plan != nil {
+			err = runner.NewPlanExecutor(plan)(ctx)
+			if j.errorMessage == "" {
+				assert.Nil(t, err, fullWorkflowPath)
+			} else {
+				assert.Error(t, err, j.errorMessage)
+			}
 		}
 	}
 
@@ -334,7 +338,7 @@ func TestRunEvent(t *testing.T) {
 				config.EventPath = eventFile
 			}
 
-			testConfigFile := filepath.Join(workdir, table.workflowPath, "config.yml")
+			testConfigFile := filepath.Join(workdir, table.workflowPath, "config/config.yml")
 			if file, err := os.ReadFile(testConfigFile); err == nil {
 				testConfig := &TestConfig{}
 				if yaml.Unmarshal(file, testConfig) == nil {
diff --git a/pkg/runner/testdata/local-action-via-composite-dockerfile/action/action.yml b/pkg/runner/testdata/local-action-via-composite-dockerfile/action/action.yml
@@ -1,44 +1,44 @@
-inputs:
-  who-to-greet:
-    default: 'Mona the Octocat'
-runs:
-  using: composite
-  steps:
-  # Test if GITHUB_ACTION_PATH is set correctly before all steps
-  - run: stat $GITHUB_ACTION_PATH/push.yml
-    shell: bash
-  - run: stat $GITHUB_ACTION_PATH/action.yml
-    shell: bash
-  - run: '[[ "$GITHUB_ACTION_REPOSITORY" == "" ]] && [[ "$GITHUB_ACTION_REF" == "" ]]'
-    shell: bash
-  - uses: ./actions/docker-local
-    id: dockerlocal
-    with:
-      who-to-greet: ${{inputs.who-to-greet}}
-  - run: '[[ "${{ env.SOMEVAR }}" == "${{inputs.who-to-greet}}" ]]'
-    shell: bash
-  - run: '[ "${SOMEVAR}" = "Not Mona" ] || exit 1'
-    shell: bash
-    env:
-      SOMEVAR: 'Not Mona'
-  - run: '[[ "${{ steps.dockerlocal.outputs.whoami }}" == "${{inputs.who-to-greet}}" ]]'
-    shell: bash
-  # Test if overriding args doesn't leak inputs
-  - uses: ./actions/docker-local-noargs
-    with:
-      args: ${{format('"{0}"', 'Mona is not the Octocat') }}
-      who-to-greet: ${{inputs.who-to-greet}}
-  - run: '[[ "${{ env.SOMEVAR }}" == "Mona is not the Octocat" ]]'
-    shell: bash
-  - uses: ./localdockerimagetest_
-  # Also test a remote docker action here
-  - uses: actions/hello-world-docker-action@v1
-    with:
-      who-to-greet: 'Mona the Octocat'
-  # Test if GITHUB_ACTION_PATH is set correctly after all steps
-  - run: stat $GITHUB_ACTION_PATH/push.yml
-    shell: bash
-  - run: stat $GITHUB_ACTION_PATH/action.yml
-    shell: bash
-  - run: '[[ "$GITHUB_ACTION_REPOSITORY" == "" ]] && [[ "$GITHUB_ACTION_REF" == "" ]]'
-    shell: bash
+inputs:
+  who-to-greet:
+    default: 'Mona the Octocat'
+runs:
+  using: composite
+  steps:
+  # Test if GITHUB_ACTION_PATH is set correctly before all steps
+  - run: stat $GITHUB_ACTION_PATH/../push.yml
+    shell: bash
+  - run: stat $GITHUB_ACTION_PATH/action.yml
+    shell: bash
+  - run: '[[ "$GITHUB_ACTION_REPOSITORY" == "" ]] && [[ "$GITHUB_ACTION_REF" == "" ]]'
+    shell: bash
+  - uses: ./actions/docker-local
+    id: dockerlocal
+    with:
+      who-to-greet: ${{inputs.who-to-greet}}
+  - run: '[[ "${{ env.SOMEVAR }}" == "${{inputs.who-to-greet}}" ]]'
+    shell: bash
+  - run: '[ "${SOMEVAR}" = "Not Mona" ] || exit 1'
+    shell: bash
+    env:
+      SOMEVAR: 'Not Mona'
+  - run: '[[ "${{ steps.dockerlocal.outputs.whoami }}" == "${{inputs.who-to-greet}}" ]]'
+    shell: bash
+  # Test if overriding args doesn't leak inputs
+  - uses: ./actions/docker-local-noargs
+    with:
+      args: ${{format('"{0}"', 'Mona is not the Octocat') }}
+      who-to-greet: ${{inputs.who-to-greet}}
+  - run: '[[ "${{ env.SOMEVAR }}" == "Mona is not the Octocat" ]]'
+    shell: bash
+  - uses: ./localdockerimagetest_
+  # Also test a remote docker action here
+  - uses: actions/hello-world-docker-action@v1
+    with:
+      who-to-greet: 'Mona the Octocat'
+  # Test if GITHUB_ACTION_PATH is set correctly after all steps
+  - run: stat $GITHUB_ACTION_PATH/../push.yml
+    shell: bash
+  - run: stat $GITHUB_ACTION_PATH/action.yml
+    shell: bash
+  - run: '[[ "$GITHUB_ACTION_REPOSITORY" == "" ]] && [[ "$GITHUB_ACTION_REF" == "" ]]'
+    shell: bash
diff --git a/pkg/runner/testdata/local-action-via-composite-dockerfile/push.yml b/pkg/runner/testdata/local-action-via-composite-dockerfile/push.yml
@@ -6,4 +6,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
-    - uses: ./local-action-via-composite-dockerfile
+    - uses: ./local-action-via-composite-dockerfile/action
diff --git a/pkg/runner/testdata/local-remote-action-overrides/config/config.yml b/pkg/runner/testdata/local-remote-action-overrides/config/config.yml
diff --git a/pkg/schema/action_schema.json b/pkg/schema/action_schema.json
diff --git a/pkg/schema/schema.go b/pkg/schema/schema.go
diff --git a/pkg/schema/workflow_schema.json b/pkg/schema/workflow_schema.json

-Original file line number
+Diff line change
 	github.com/adrg/xdg v0.5.0
 	github.com/andreaskoch/go-fswatch v1.0.0
 	github.com/creack/pty v1.1.21
 -	github.com/docker/cli v26.1.4+incompatible
 +	github.com/docker/cli v26.1.5+incompatible
 	github.com/docker/distribution v2.8.3+incompatible
 -	github.com/docker/docker v26.1.3+incompatible
 +	github.com/docker/docker v26.1.5+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/go-git/go-billy/v5 v5.5.0
 	github.com/go-git/go-git/v5 v5.12.0